CCIE Pursuit Blog

August 10, 2008

Internetwork Expert Volume II: Lab 5 – Section 10

Section 10 – IP Services – 4 Points

10.1 DNS

Configure your network so that telnet sessions from r6 can reach other routers by their DNS names.  This sounds like a simple matter of just assigning host names to the routers’ loopback addresses. But they also specify a DNS server IP address.  There’s also this:

“This configuration should not affect any other [that vty 0 4] lines on r6”

Configuring DNS

The solution is very simple:

r6(config)#ip name-server

And then it gets weird:

r6(config)#ip domain-lookup
r6(config)#line con 0
r6(config-line)#transport preferred none

I say weird because one of the requirements is “if a user mistypes a command while on the console port it should not try to look it up in DNS.”  Generally, “no ip domain-lookup” takes care of this. It turns out that “transport preferred none” will handle this as well, but at the line level.  So as long as you are connected via the console port you’ll be fine.  Turning on “ip domain-lookup” globally will ensure that all other users (not on the console port) will endure the frustration of DNS lookups for fat-fingered commands. 

10.2 Local Authorization

Configure r6 so that NOC users login (via telnet) at privilege level 2 and can only see the running configuration for hostname, interfaces, interface encapsulations, and any IP access-lists applied to interfaces.

r6(config)#username NOC privilege 2 password CISCO
r6(config-line)#do sh run | sec vty
line vty 0 4
 password cisco
r6(config)#line vty 0 4
r6(config-line)#login local

Now to configure what options privilege level 2 users can see:

privilege interface level 2 ip access-group
privilege interface level 2 ip <- IOS added this
privilege interface level 2 encapsulation
privilege configure level 2 interface
privilege configure level 2 hostname
privilege exec level 2 show running-config
privilege exec level 2 show <- IOS added this

Testing it out: 

Trying … Open

User Access Verification

Username: NOC
r6#sh privi
Current privilege level is 2
r6#sh run
Building configuration…

Current configuration : 204 bytes
hostname r6
interface Loopback0
interface FastEthernet0/0
interface Serial0/0
interface Serial0/0.1 multipoint
interface FastEthernet0/1


That looks right except for the encapsulation.  s0/0 is configured for Frame-Relay and that should show up.  If I changed it to “privilege interface level 2 encapsulation frame-relay” then it would work.

I also don’t understand why IE did not set up a NOC username and login local under the vty line.

Internetwork Expert Volume II: Lab 5 – Section 9

Section 9 – System Management – 6 Points

9.1 SNMP

This is a basic SNMP task.  You’ll see variations of this same task in nearly all of the IE Volume II labs.  The only possible “gotcha” requirements are:

“This ( is the only station that should be allowed to manage r6.”
“Attempts by other devices to manage r6 via snmp should be logged.”

Our ACL should look like this:

r6(config)#access-list 91 perm
r6(config)#access-list 91 deny any log

You need to add the explicit deny any statement in order to log traffic from sources other that the management station in the permit statement.

r6(config)#snmp-server community CISCORO ro 91
r6(config)#snmp-server community CISCORW rw 91

9.2 Syslog

This was an easy task as well.  The only slightly odd bit:

“r4 and r5 should include their hostname in the syslog messages.”

You can find this (as well as the commands for the other requirements) by just issuing “logg ?” in configuration mode:

r4(config)#logg ?
  origin-id            Add origin ID to syslog messages

logging origin-id

r4(config)#logg origin-id ?
  hostname  Use origin hostname as ID
  ip        Use origin IP address as ID
  string    Define a unique text string as ID

r4(config)#logg origin-id hostname

Internetwork Expert Volume II: Lab 5 – Section 8

Section 8 – Security – 6 Points

8.1 Traffic Filtering

Allow ICMP, UPD, and TCP traffic originated from inside the network to go out to and back from r4 to BB3.  We also need to allow r4 to ping and telnet to BB3.  That’s going to need a reflexive ACL. Filter everything else except the routing protocols (RIP and BGP) between r4 and BB3.

This is 3 points that I would definitely skip in the lab.  Breaking connectivity to a backbone device could end up costing you $1500.  🙂

r4(config)#ip access-l ex IN_FROM_BB3
r4(config-ext-nacl)#perm icmp any any echo-reply
r4(config-ext-nacl)#perm tcp any eq telnet any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections  
r4(config-ext-nacl)#perm tcp any eq telnet any established
4(config-ext-nacl)#permit tcp any any eq bgp
r4(config-ext-nacl)#permit tcp any eq bgp any  <- I usually forget this 😦
r4(config-ext-nacl)#permit udp any any eq rip
r4(config-ext-nacl)#evaluate REFLEXIVE

r4(config-ext-nacl)#ip access-list ex OUT_TO_BB3
r4(config-ext-nacl)#perm tcp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm udp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm icmp any any reflect REFLEXIVE

r4(config-ext-nacl)#int fa0/0
r4(config-if)#ip access-group IN_FROM_BB3 in
r4(config-if)#ip access-group OUT_TO_BB3 out

This is the first time that I’ve actually seen an “A” on a traceroute:


Type escape sequence to abort.
Tracing the route to

  1 !A  *  !A

A = Administratively unreachable.  Usually, this output means that an access list is blocking traffic.

8.2 DoS Prevention

“…configure r1 and r6 to not receive any ICMP echo request sourced from the network inbound on their interfaces attached to VLAN 162.”
“Do not apply any configuration on either r1 or r6 to accomplish this.”

r1 and r6 connect to BB2 on an Ethernet connection.  If we can’t configure r1 or r6 then we must need to configure the switch port connected to BB2 (sw2 fa0/24).

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

Sweet.  So I set up my ACL:

sw2(config)#do sh run | i 182
access-list 182 permit tcp

and then I tried to enable TCP Intercept:

sw2(config)#ip tcp intercept list 182
% Invalid input detected at ‘^’ marker.

sw2(config)#ip tcp ?
  async-mobility      Configure async-mobility
  chunk-size          TCP chunk size
  mss                 TCP initial maximum segment size
  path-mtu-discovery  Enable path-MTU discovery on new TCP connections
  queuemax            Maximum queue of outgoing TCP packets
  selective-ack       Enable TCP selective-ACK
  synwait-time        Set time to wait on new TCP connections
  timestamp           Enable TCP timestamp option
  window-size         TCP window size

Great.  This is not available on the 3560.

Ummm…it turns out that I needed to read the tasks closer.  I keyed in on DoS prevention and forgot that I was just supposed to filter ICMP echo requests.  🙂

Starting over – this looks like a simple VACL task.  Just drop ICMP echo requests from a specific network for VLAN 162.

Configuring VLAN Maps

First match the traffic that we want to drop (VACL use a logic similar to route-maps):

sw2(config)#access-list 182 permit icmp any echo

Now build the VACL:

sw2(config)#vlan access-map TASK_8_2
sw2(config-access-map)#match ip add 182
sw2(config-access-map)#action drop

Remember to include a statement to forward all other traffic:

sw2(config)#vlan access-map TASK_8_2 1000
sw2(config-access-map)#action forward

Now just add the VACL to the VLAN with the ‘vlan filter’ command. Don’t do this:

sw2(config)#flanfilter TASK_8_2 vlan-list 162
% Unrecognized command

It’s sad that the IOS does not know about the tasty dessert that is flan, but the IOS does not get out much.  🙂

sw2(config)#vlan filter TASK_8_2 vlan-list 162

sw2#sh vlan access-map
Vlan access-map “TASK_8_2”  10
  Match clauses:
    ip  address: 182
Vlan access-map “TASK_8_2”  1000
  Match clauses:

sw2#sh vlan filter
VLAN Map TASK_8_2 is filtering VLANs:

Blog at